Platform: Code4rena
Start Date: 05/10/2023
Pot Size: $33,050 USDC
Total HM: 1
Participants: 54
Period: 6 days
Judge: hansfriese
Id: 294
League: ETH
Rank: 50/54
Findings: 1
Award: $5.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: thekmj
Also found by: 0x3b, 33BYTEZZZ, Bauchibred, Chom, Dravee, J4X, Limbooo, Maroutis, MiloTruck, MrPotatoMagic, SBSecurity, Sathish9098, Tadev, ZanyBonzy, adam-idarrha, adriro, btk, hyh, lukejohn, nmirchev8, peakbolt, radev_sw, rvierdiiev
5.4311 USDC - $5.43
immutableThe token state variable can be declared as immutable since there is no possibility of the ENS contract address being updated in the future. This declaration can lead to gas savings.
Manual Review
Declare the ENS token as immutable:
ERC20Votes public immutable token;
delegateMulti to Prevent Out-of-Gas IssuesThe current implementation of the delegateMulti function does not have a check to limit the size of the input array, which can result in potential out-of-gas transactions when users stake a large number of ENS tokens to numerous delegates.
Manual Review
To address this issue, it's recommended to set an upper limit on the size of the input array based on thorough testing and revert the transaction if it exceeds the defined limit. This will help prevent out-of-gas issues.
delegateMulti ArrayThe current implementation of the delegateMulti function lacks validation for zero-value inputs in the array. Two examples that illustrate this are users delegating tokens to a zero address and users passing a zero value as an amount. While there may not be a direct security risk, it is advisable to implement these sanity checks to ensure robustness and user-friendliness.
Manual Review
Implement basic sanity checks in the _processDelegation, _reimburse, and createProxyDelegatorAndTransfer functions to verify zero-value inputs.
_reimburse Similar to _processDelegationThe _processDelegation function includes a check on the source's ERC1155 token balance before transferring tokens to the target. However, this same check is missing in the _reimburse function.
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L129-L131 https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L144
Manual Review
Add a balance check in the _reimburse function, similar to the one in _processDelegation.
function _reimburse(address source, uint256 amount) internal { uint256 balance = getBalanceForDelegate(source); require(amount <= balance, "Insufficient balance for reimbursement"); // Rest of the code }
from and to Addresses in transferBetweenDelegatorsThe transferBetweenDelegators function is used to transfer ENS token delegations, but it lacks a check to ensure that the from and to addresses are different. Currently, the code executes without any issues even if both addresses are the same, resulting in unnecessary gas consumption to update the same variables and mint and burn ERC1155 tokens for no functional reason. This can lead to a suboptimal user experience.
Manual Review
Add a check and revert the transaction if the from and to addresses are the same.
require(from != to, "From and to addresses must be different");
abi.encode instead of abi.encodePackedThe current code employs abi.encodePacked for generating hashes by passing different types of parameters. While this approach works, it presents a potential issue due to differences in packed encoding for different types. It's less likely that this will be a critical problem, but using abi.encode instead of abi.encodePacked is a more robust approach to ensure consistent behavior across different parameter types. This change improves code reliability and consistency.
Manual Review
Use abi.encode instead of abi.encodePacked
#0 - c4-pre-sort
2023-10-13T12:43:50Z
141345 marked the issue as sufficient quality report
#1 - c4-judge
2023-10-24T16:13:21Z
hansfriese marked the issue as grade-b